The workaround listed in the APAR itself is to expand the number of rules selected in your Historical Correlation Profile. This issue has to do with the speed at which results are returned. Only testing against one rule returns that data much faster than expected on hardware systems. Due to the results being returned so quickly, the result set isn't completely captured and the following message is written in the logs:

About the workaround in IV98246

If you have historical correlation testing against a single or very small number of rules, you might experience this issue and see the above error message in the logs, especially on higher-end/hardware appliances. VMs are less prone to hit this issue in our testing because these installations are typically on lower tiers of hardware and IOPS are slower than on physical appliances. If you are concerned about this issue, or if you see this message appearing in your logs, you can open a case with QRadar Support. Understanding how your historical correlation profile is written and the rules you are evaluating might allow us to give you some advice on how to proceed further. You can also adjust the number of rules being tested to expand to help prevent this issue while we work on a fix.

If you have follow-up questions or want to discuss this issue further here, feel free to ask any follow-up questions.